Thursday 1 January 2009

Howto: Add a Digital Signature to a Firefox Add-on

There is a nice Firefox add-on we’ll use to achieve this: Key Manager. But the subordinate CA certificate we create is not suited to sign XPI files, because it doesn’t state explicitly that it can be used for code signing. We have to create another one with an extendedKeyUsage extension that permits code signing.

First we need to create a config file with the extended key usage, eku.cnf:

[eku_codesigning]
extendedKeyUsage=codeSigning

Then we issue the following OpenSSL commands to create a new certificate and a PKCS12 file:
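The OpenSSL commands themselves did not survive in this copy of the post, so here is an added example (my reconstruction, not the author’s commands) that carries the procedure through: it creates a self-signed root CA, issues a code-signing certificate from it using the eku.cnf section above, bundles key and chain into a PKCS12 file, and checks that the new certificate carries the codeSigning EKU while the plain CA certificate does not. File names, subject names, the scratch directory and the PKCS12 password are assumptions.

```shell
#!/bin/sh
# Added example: reconstructed OpenSSL steps for a code-signing certificate.
# Not the original post's commands; names and password are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption)
cd "$WORK"

# The extension file from the post, reproduced verbatim.
cat > eku.cnf <<'EOF'
[eku_codesigning]
extendedKeyUsage=codeSigning
EOF

# Step 1: a self-signed root CA (subject name is an assumption).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -days 3650 -subj "/CN=Example Root CA" 2>/dev/null

# Step 2: a key and certificate request for the signing certificate.
openssl req -newkey rsa:2048 -nodes -keyout codesign.key -out codesign.csr \
  -subj "/CN=Example Add-on Signer" 2>/dev/null

# Step 3: issue it from the root, adding the EKU from the eku.cnf section.
openssl x509 -req -in codesign.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 365 -extfile eku.cnf -extensions eku_codesigning -out codesign.crt 2>/dev/null

# Step 4: bundle key, certificate and CA chain into a PKCS12 file for import.
openssl pkcs12 -export -inkey codesign.key -in codesign.crt -certfile ca.crt \
  -name "addon-signer" -passout pass:changeit -out codesign.p12

# has_codesigning_eku FILE: succeeds only if the certificate text lists
# "Code Signing" under X509v3 Extended Key Usage.
has_codesigning_eku() {
  openssl x509 -in "$1" -noout -text | grep -q "Code Signing"
}

# Check: the new certificate has the EKU, the CA certificate alone does not.
has_codesigning_eku codesign.crt && echo "codesign.crt: has codeSigning EKU"
has_codesigning_eku ca.crt || echo "ca.crt: no codeSigning EKU (not usable for XPI signing)"
```

The resulting codesign.p12 is what you would import into Key Manager; the has_codesigning_eku check is the quick way to confirm a certificate actually carries the extension before trying to sign with it.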

When installing this signed Firefox add-on, we get to see the identity of the signer:

For an unsigned add-on, it says “Author not verified”:

If we don’t trust the root CA for code signing (or the root CA certificate is missing), we can’t install the add-on!

So it doesn’t make sense to sign a Firefox add-on with your own self-signed certificate if you plan to make it public (e.g. publish it on the Mozilla add-on site). Users will not be able to install your add-on unless they have imported your root CA certificate and trusted it for code signing.